Overview
OCABR did not ensure that access to PII was limited to personnel members with business needs to access it. Specifically, 11 out of 20 personnel members sampled did not have an approved user access request before being granted access to PII.
Granting personnel members access to PII without requiring formal approval of their business need, as well as appropriate training, exposes OCABR to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for OCABR. Each of these risks would have negative impacts on the people whose information is compromised.
Introducing role-based access controls ensures that users are assigned permissions based on their roles and business needs rather than through permissions assigned individually on a person-by-person basis. To implement role-based access, all information must first be classified (see finding 2) to determine what is confidential, such as PII, and therefore should be accessed only by approved individuals in pertinent roles.
Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.
Authoritative Guidance
EOTSS's Asset Management Standard IS.004 states,
6.2.1. Confidential—organization or customer information that if inappropriately accessed or disclosed could cause adverse financial, legal, regulatory, or reputational damage to the Commonwealth, its constituents, customers, and business partners. . . .
Except as required by law, confidential information must be access-restricted to a narrow subset of personnel who have a business need to access the information. Examples may include but are not limited to:
6.2.1.1. Personally identifiable information (PII).
Reasons for Issue
OCABR management stated that newly hired personnel members are granted specific role-based access control assignments, which may include authorization for the specific user to access PII if they have a business need to do so. Often this is modeled on existing staff members who, due to their job responsibilities, have access to PII. Currently, these records are documented using the EOTSS-provided IT ticketing system, ServiceNow. Before the implementation of this system, requests could be made and approved via email, in-person conversations, or phone calls.
A list of security groups in Active Directory (a service that IT administrators use to store and manage information on a network about users and devices, such as access permissions) is used to manage systems and data access. Currently, access requests are managed through ServiceNow. Requests for access are routed through the appropriate information technology liaison and designated security officer for review and approval. However, requests before 2023 were not as well documented and some were fulfilled through email requests.
Recommendations
- OCABR should ensure that every user requiring access to PII has their business need reviewed and approved before access is granted.
- OCABR should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
- OCABR should review users’ access to determine whether these users have the appropriate approval, and OCABR should perform this review on a periodic basis.
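One way to carry out the periodic review the third recommendation calls for, as an added example that is not part of the audit report or of OCABR's own tooling: it reconciles a constructed Active Directory group-membership export against a constructed ServiceNow access-request export and flags every member of a PII group who has no approved request dated on or before the day access was granted. The group names, user names and ticket numbers are assumed.

```python
from collections import namedtuple
from datetime import date

PII_GROUPS = {"SG-PII-Licensing", "SG-PII-Complaints"}  # assumed names of the AD groups that grant PII access

# One row of a constructed AD group-membership export: `granted` is the date the user was added.
Membership = namedtuple("Membership", "user group granted")
# One row of a constructed ServiceNow ticket export; `state` is "approved", "pending" or "rejected".
AccessRequest = namedtuple("AccessRequest", "ticket user group state approved_on", defaults=(None,))

def review_pii_access(memberships, requests, pii_groups=PII_GROUPS):
    """Map (user, group) -> reason for every PII-group member who lacks a prior approved request."""
    by_key = {}
    for r in requests:
        by_key.setdefault((r.user, r.group), []).append(r)
    findings = {}
    for m in memberships:
        if m.group not in pii_groups:
            continue                               # groups that do not grant PII access are out of scope
        reqs = by_key.get((m.user, m.group), [])
        approved = [r for r in reqs if r.state == "approved" and r.approved_on]
        if not reqs:
            findings[(m.user, m.group)] = "no access request on file"
        elif not approved:
            findings[(m.user, m.group)] = "request exists but was never approved"
        elif min(r.approved_on for r in approved) > m.granted:
            findings[(m.user, m.group)] = "approval dated after access was granted"
    return findings

# Constructed sample exports: jdoe has no ticket, bkim was approved only after access
# was granted, asmith is properly approved, and SG-Printers is not a PII group.
MEMBERSHIPS = [
    Membership("jdoe", "SG-PII-Licensing", date(2022, 3, 1)),
    Membership("asmith", "SG-PII-Licensing", date(2023, 6, 12)),
    Membership("bkim", "SG-PII-Complaints", date(2023, 9, 5)),
    Membership("bkim", "SG-Printers", date(2023, 9, 5)),
]
REQUESTS = [
    AccessRequest("RITM0001", "asmith", "SG-PII-Licensing", "approved", date(2023, 6, 10)),
    AccessRequest("RITM0002", "bkim", "SG-PII-Complaints", "approved", date(2023, 9, 20)),
]

if __name__ == "__main__":
    for (user, group), reason in sorted(review_pii_access(MEMBERSHIPS, REQUESTS).items()):
        print(f"{user:<8} {group:<20} {reason}")
```

Each flagged row is a membership that should be re-approved or revoked; the ticket field on approved rows is the evidence an auditor would ask to see.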
Auditee’s Response
Prior to full implementation of the ServiceNow system in 2023, access to PII was provided in several controlled ways that did not consistently document approval, including verbal or e-mail requests from appropriate leadership. Approval and access were controlled in the following ways:
- Initial Onboarding: New-hire requests specify Role-Based Access Control (RBAC) Assignments, access authorization for the specific user to access PII as part of their job function. Often this is modeled on existing staff who, due to their job responsibilities, have access to PII. These records are formalized using the ServiceNow ticketing system; however, prior to the implementation of this system, many of the requests were made and approved via email or by audio discussion.
- Acceptable Use Policy: New hires are required to acknowledge the Acceptable Use Policy as part of the on-boarding process, and annual security training requirements. This is a key explanation and acceptance of working with PII. These records are retained in our training system (Mass Achieve, Cornerstone); however, these records do not go back further than 2022.
- Security Group Management: This management reflects role-based access. An extensive list of security groups (SG) in Active Directory (MS Azure Entra) is tied to roles and departments and utilized to manage systems and data access. Today, access requests are managed via ServiceNow.
- Requests for access are routed through the appropriate Information Technology Liaison (ITL) and Designated Security Officer (DSO) for review and approval.
- [Executive Office of Economic Development (EOED)] and Sub-division Training: EOED has hired a dedicated [chief information security officer] who started in October 2024. In addition, there is a new on-boarding security training, providing new team members an understanding of desired behaviors and security best practices with PII. This new training will be added to the annual security re-training requirement. Additionally, subdivisions are conducting their own awareness training on the location of, and authorized access to, PII.
OCABR and EOED IT incorporate the ServiceNow system to document access requests and are implementing more stringent controls to ensure PII access is properly authorized to minimum levels, monitored, and periodically reviewed.
OCABR is also taking the following actions:
- Historical Remediation: A retrospective access review of PII-related security groups in Active Directory is underway. Any users without documented business justification will have access reevaluated or revoked where appropriate. We expect to have this completed by end of Q3 2025.
- Role-Based Access Controls: EOED is developing role-based access controls (RBAC) for OCABR applications and Active Directory groups. Roles are being defined based on job functions, and access rights will be aligned to these roles under the principle of least privilege. This work is dependent on the application, and those which do not have the capability to use RBAC and/or AD are being further evaluated for modernization. A report on which applications are compliant and which require modernization will be completed by end of Q3 2025.
- Periodic Reviews: OCABR is implementing a quarterly access review process to ensure all PII access remains appropriate, with reports generated from Active Directory and ServiceNow where possible.
- Access Training Requirements: The onboarding process for PII access will now include verification of required privacy and security training, in accordance with Acceptable Use and Security Awareness policies.
Auditor’s Reply
Based on its response, OCABR is taking measures to address our concerns regarding this matter.
Date published: May 5, 2025